From patchwork Wed May 14 18:33:35 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Marko, Peter" X-Patchwork-Id: 62954 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 04BB2C3ABD8 for ; Wed, 14 May 2025 18:34:33 +0000 (UTC) Received: from mta-64-225.siemens.flowmailer.net (mta-64-225.siemens.flowmailer.net [185.136.64.225]) by mx.groups.io with SMTP id smtpd.web10.109452.1747247666645110101 for ; Wed, 14 May 2025 11:34:27 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=UXdIt5tW; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.225, mailfrom: fm-256628-202505141834237593ac73abb18cb820-8oqfev@rts-flowmailer.siemens.com) Received: by mta-64-225.siemens.flowmailer.net with ESMTPSA id 202505141834237593ac73abb18cb820 for ; Wed, 14 May 2025 20:34:23 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc; bh=H4wf2sMsp6amx6gzS2JXrcuno55a3uCLLkOQ11Q4BT4=; b=UXdIt5tW5Tnqnj4s5HHngySUS7h1OVJNXWnT9efBXOAph1Xv4u7APiE0UXSDovGofTCsI5 obPVr1N722fKmjJ2qxiewMnI0y1xatcSqMCzIyKaFE0Q2TetSrEH/GewgvT5xfeMYr1kHfoV hyYD6v0kg3da2QCnkk/DCvsNM8hoMWTpJ6yghSWbwaxm+FWdjvQ7hlqwpt5Bywq/qlSxEAvM ao2TtJ8spiB6waJMJhNV4qLtXRESvokqeArlpm8Rf38++AaoJ8/CUFprESzSLhxB9PWTOZfZ CQMCVk2d6BNzDw7pgnas7cjh5JCCh7sKBsvihlRQIIHITSRSapqqndog==; 
From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [PATCH 1/2] dropbear: switch url to mirror Date: Wed, 14 May 2025 20:33:35 +0200 Message-Id: <20250514183336.84167-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 14 May 2025 18:34:33 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/216520 From: Peter Marko The main download page is currently unavailable; switch to the mirror listed in the README file of the dropbear repository and release tarballs. This is to allow the upgrade due to a CVE; it should be reverted later, or maybe even not merged, and the tarball fed only from the Yocto mirror until the main page is up again. Signed-off-by: Peter Marko --- meta/recipes-core/dropbear/dropbear_2024.86.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/recipes-core/dropbear/dropbear_2024.86.bb b/meta/recipes-core/dropbear/dropbear_2024.86.bb index be246a0ccd..3b54542490 100644 --- a/meta/recipes-core/dropbear/dropbear_2024.86.bb +++ b/meta/recipes-core/dropbear/dropbear_2024.86.bb
@@ -12,7 +12,7 @@ DEPENDS = "zlib virtual/crypt" RPROVIDES:${PN} = "ssh sshd" RCONFLICTS:${PN} = "openssh-sshd openssh" -SRC_URI = "http://matt.ucc.asn.au/dropbear/releases/dropbear-${PV}.tar.bz2 \ +SRC_URI = "https://dropbear.nl/mirror/releases/dropbear-${PV}.tar.bz2 \ file://0001-urandom-xauth-changes-to-options.h.patch \ file://init \ file://dropbearkey.service \ From patchwork Wed May 14 18:33:36 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Marko, Peter" X-Patchwork-Id: 62955 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 04BF6C3ABDD for ; Wed, 14 May 2025 18:34:33 +0000 (UTC) Received: from mta-64-225.siemens.flowmailer.net (mta-64-225.siemens.flowmailer.net [185.136.64.225]) by mx.groups.io with SMTP id smtpd.web11.110187.1747247670397611409 for ; Wed, 14 May 2025 11:34:30 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=cf/tujlB; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.225, mailfrom: fm-256628-20250514183427fcc83ca49607f1faec-1z0hpt@rts-flowmailer.siemens.com) Received: by mta-64-225.siemens.flowmailer.net with ESMTPSA id 20250514183427fcc83ca49607f1faec for ; Wed, 14 May 2025 20:34:27 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=jzw6dDs6/u9YpLVIUWMzkzxHgN7z5KEGs7YQiJtG8is=; b=cf/tujlBqBeO6FdyT7HCMJSN3U/TLNg9pMHncP5plY3OhGnW19QZQzpzOsq+WPgCGxXTMZ qlWpg5iG74vdt4xx/UfK3WB0bNWKMEjRLEypmxbLQgxi8+HawQUwz93a6+czhWN87ULkDGE/ 7YUETduyNAQmDI0gApQ54dQodhYiZOUSNzW8xnnecc9W6L8ei1/XA1GdNFkZPr+aNQFnfEMz 
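Review bot: on the SRC_URI hunk of 1/2, the temporary nature of the mirror switch ("should be reverted later" in the commit message) is not recorded in the recipe itself; a comment above the line, e.g. `# Temporary: upstream matt.ucc.asn.au is unavailable, revert once it is back`, would keep that intent visible to whoever touches the recipe next. The change is otherwise safe to carry: the diffstat shows a single changed line, so SRC_URI[sha256sum] is untouched and the tarball stays pinned to the same checksum whichever host serves it, and moving from http:// to https:// also improves transport integrity of the download.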
mvvdZgyEFaLGWLeZEXXjooyXCRPSd1v8OHDLRRmTZTYEMHZAZ4/oOqyd3zOybAabtuxVq+7w iApM+XL5hG9j9ohYIJ/L8U4uyLNG2JolHUFoF8EMPbD8iK7vDAxpI2Xw==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [PATCH 2/2] dropbear: upgrade 2024.86 -> dropbear_2025.88 Date: Wed, 14 May 2025 20:33:36 +0200 Message-Id: <20250514183336.84167-2-peter.marko@siemens.com> In-Reply-To: <20250514183336.84167-1-peter.marko@siemens.com> References: <20250514183336.84167-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 14 May 2025 18:34:33 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/216521 From: Peter Marko Handles CVE-2025-47203. SHA1 algorithms were removed by default, so the patch for disabling them was removed together with its package option. Doing it with a conditional patch was a bad design anyway. If someone still needs it, it should be done via a sed command on the config file. Refreshed the remaining patches. Signed-off-by: Peter Marko --- ...1-urandom-xauth-changes-to-options.h.patch | 2 +- .../dropbear-disable-weak-ciphers.patch | 28 ------------------- ...ropbear_2024.86.bb => dropbear_2025.88.bb} | 6 ++-- 3 files changed, 3 insertions(+), 33 deletions(-) delete mode 100644 meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch rename meta/recipes-core/dropbear/{dropbear_2024.86.bb => dropbear_2025.88.bb} (93%) diff --git a/meta/recipes-core/dropbear/dropbear/0001-urandom-xauth-changes-to-options.h.patch b/meta/recipes-core/dropbear/dropbear/0001-urandom-xauth-changes-to-options.h.patch index 9c1dd3f606..0687e5dab1 100644 --- a/meta/recipes-core/dropbear/dropbear/0001-urandom-xauth-changes-to-options.h.patch +++ b/meta/recipes-core/dropbear/dropbear/0001-urandom-xauth-changes-to-options.h.patch
@@ -12,7 +12,7 @@ diff --git a/src/default_options.h b/src/default_options.h index 6e970bb..ccc8b47 100644 --- a/src/default_options.h +++ b/src/default_options.h -@@ -311,7 +311,7 @@ group1 in Dropbear server too */ +@@ -317,7 +317,7 @@ group1 in Dropbear server too */ /* The command to invoke for xauth when using X11 forwarding. * "-q" for quiet */ diff --git a/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch b/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch deleted file mode 100644 index a20781d31d..0000000000 --- a/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch +++ /dev/null @@ -1,28 +0,0 @@ -From c8a0c8e87b772576f3a431c3b4cacaf5aa001dcc Mon Sep 17 00:00:00 2001 -From: Joseph Reynolds -Date: Thu, 20 Jun 2019 16:29:15 -0500 -Subject: [PATCH] dropbear: new feature: disable-weak-ciphers - -This feature disables all CBC, SHA1, and diffie-hellman group1 ciphers -in the dropbear ssh server and client since they're considered weak ciphers -and we want to support the stong algorithms. - -Upstream-Status: Inappropriate [configuration] -Signed-off-by: Joseph Reynolds ---- - src/default_options.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/default_options.h b/src/default_options.h -index 12768d1..2b07497 100644 ---- a/src/default_options.h -+++ b/src/default_options.h -@@ -197,7 +197,7 @@ IMPORTANT: Some options will require "make clean" after changes */ - * Small systems should generally include either curve25519 or ecdh for performance. - * curve25519 is less widely supported but is faster - */ --#define DROPBEAR_DH_GROUP14_SHA1 1 -+#define DROPBEAR_DH_GROUP14_SHA1 0 - #define DROPBEAR_DH_GROUP14_SHA256 1 - #define DROPBEAR_DH_GROUP16 0 - #define DROPBEAR_CURVE25519 1 
diff --git a/meta/recipes-core/dropbear/dropbear_2024.86.bb b/meta/recipes-core/dropbear/dropbear_2025.88.bb similarity index 93% rename from meta/recipes-core/dropbear/dropbear_2024.86.bb rename to meta/recipes-core/dropbear/dropbear_2025.88.bb index 3b54542490..f8ecb319a4 100644 --- a/meta/recipes-core/dropbear/dropbear_2024.86.bb +++ b/meta/recipes-core/dropbear/dropbear_2025.88.bb @@ -20,10 +20,9 @@ SRC_URI = "https://dropbear.nl/mirror/releases/dropbear-${PV}.tar.bz2 \ file://dropbear.socket \ file://dropbear.default \ ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \ - ${@bb.utils.contains('PACKAGECONFIG', 'disable-weak-ciphers', 'file://dropbear-disable-weak-ciphers.patch', '', d)} \ " -SRC_URI[sha256sum] = "e78936dffc395f2e0db099321d6be659190966b99712b55c530dd0a1822e0a5e" +SRC_URI[sha256sum] = "783f50ea27b17c16da89578fafdb6decfa44bb8f6590e5698a4e4d3672dc53d4" PAM_SRC_URI = "file://0005-dropbear-enable-pam.patch \ file://0006-dropbear-configuration-file.patch \ @@ -47,10 +46,9 @@ SBINCOMMANDS = "dropbear dropbearkey dropbearconvert" BINCOMMANDS = "dbclient ssh scp" EXTRA_OEMAKE = 'MULTI=1 SCPPROGRESS=1 PROGRAMS="${SBINCOMMANDS} ${BINCOMMANDS}"' -PACKAGECONFIG ?= "disable-weak-ciphers ${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}" +PACKAGECONFIG ?= "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}" PACKAGECONFIG[pam] = "--enable-pam,--disable-pam,libpam,${PAM_PLUGINS}" PACKAGECONFIG[system-libtom] = "--disable-bundled-libtom,--enable-bundled-libtom,libtommath libtomcrypt" -PACKAGECONFIG[disable-weak-ciphers] = "" PACKAGECONFIG[enable-x11-forwarding] = "" # This option appends to CFLAGS and LDFLAGS from OE
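Review bot: in the 0001-urandom-xauth-changes-to-options.h.patch hunk only the embedded `@@ -311,7 +311,7 @@` header is bumped to `@@ -317,7 +317,7 @@`, while the `index 6e970bb..ccc8b47 100644` line above it stays as unchanged context, so the refreshed patch still carries the blob ids of the 2024.86 default_options.h. That is harmless for quilt/patch, but a patch regenerated against the 2025.88 tree (git format-patch) would keep the index line consistent and would also confirm the hunk lands where intended rather than merely at a shifted offset.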
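Review bot: the deleted dropbear-disable-weak-ciphers.patch only flipped `DROPBEAR_DH_GROUP14_SHA1` from 1 to 0, even though its own description claims to disable "all CBC, SHA1, and diffie-hellman group1 ciphers"; the commit message says SHA1 algorithms are now off by default upstream, but nothing in this series shows the 2025.88 default for `DROPBEAR_DH_GROUP14_SHA1`. Quoting the new default_options.h setting (or the upstream release note) in the commit message would let a reviewer confirm that dropping the patch does not re-enable diffie-hellman-group14-sha1 in the default build.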
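Review bot: on the `@@ -20,10 +20,9 @@` hunk, the new `SRC_URI[sha256sum]` is the only integrity anchor for a tarball that, after 1/2, is fetched from the dropbear.nl mirror shown in the context line rather than from the primary site, and the commit message does not say how the value `783f50ea...` was obtained. Stating that it was verified against a checksum or signature published by upstream, independently of the mirror download, would close that gap for anyone auditing the supply chain of this upgrade.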
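Review bot: on the `@@ -47,10 +46,9 @@` hunk, removing `PACKAGECONFIG[disable-weak-ciphers]` means any layer that still adds `disable-weak-ciphers` to PACKAGECONFIG for dropbear (it was part of the default value until now) is left with a flag that no longer maps to anything; the commit message points at a sed on the config file as the replacement but does not show it. A short migration note naming the dropped option and the `src/default_options.h` define a user would set with sed would make the intended replacement concrete.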